Abstract

This paper investigates the task solvability of mobile robot systems subject to Byzantine 
faults. We first consider the gathering problem, which requires all robots to meet in finite time 
at a non-predefined location. It is known that the solvability of Byzantine gathering strongly 
depends on a number of system attributes, such as synchrony, the number of Byzantine robots, 
scheduling strategy, obliviousness, orientation of local coordinate systems and so on. However, 
the complete characterization of the attributes making Byzantine gathering solvable still remains 
open. 

In this paper, we show strong impossibility results of Byzantine gathering. Namely, we prove
that Byzantine gathering is impossible even if we assume one Byzantine fault, an atomic execution
system, the n-bounded centralized scheduler, non-oblivious robots, instantaneous movements
and a common orientation of local coordinate systems (where n denotes the number of
correct robots). Those hypotheses are much weaker than those used in previous work, inducing a
much stronger impossibility result.

At the core of our impossibility result is a reduction from the distributed consensus problem
in asynchronous shared-memory systems. In more detail, we construct a new generic reduction
scheme based on the distributed BG-simulation. Interestingly, because of its versatility, we
can easily extend our impossibility result to general pattern formation problems.

1 Introduction



Motivation. Robot networks have recently become a challenging research area for distributed
computing researchers. At the core of scientific studies lies the characterization of the minimum
robot capabilities that are necessary to achieve non-trivial tasks, such as the formation of
geometric patterns, scattering, gathering, etc. The considered robots are often very weak: they are
anonymous (i.e. they do not have any means to perform distinct tasks based on a distinguishable
identifier), oblivious (i.e. they cannot remember past observations, computations, or movements),
disoriented (i.e. they share neither a common coordinate system nor a common length unit), and
most importantly dumb (i.e. they do not have any explicit means of communication). The last
property means that robots cannot communicate explicitly by sending messages to one another.
Instead, their communication is indirect (or spatial): a robot 'writes' a value to the network by
moving toward a certain position, and a robot 'reads' the state of the network by observing the
positions of other robots in terms of its local coordinate system.

The problem we consider in this paper is the gathering of fault-prone robots [20]. Given a
set of oblivious robots with arbitrary initial locations and no agreement on a global coordinate
system, the gathering problem requires that all correct robots reach and stabilize at the same, but
unknown beforehand, location. A number of solvability issues about the gathering problem have been
studied in previous works because of its fundamental importance in both theory and practice.
One can easily find an analogy between the gathering problem and the consensus problem, and thus may
think that its solvability issues are straightforwardly deduced from the known results about
consensus solvability (e.g., FLP impossibility). However, many differences lie between those two
problems and the solvability of the gathering problem is still non-trivial. We can enumerate at
least three factors that strongly affect the solvability of the gathering problem: (i) the absence
of a common coordinate system, (ii) the fact that there is no explicit termination, and (iii) the
lack of a validity requirement. In fault-free environments, the non-triviality of the existence of a
solution mainly results from (i), which hardens symmetry breaking. Actually, gathering is known to
be impossible to solve with n = 2 robots in atomic-execution (ATOM) models¹. One direction of
the study of gathering is to explore weaker assumptions that break this hardness, for example,
endowing robots with a small amount of memory [5,20], or weak agreement of local coordinate
systems [15,16,19]. On the other hand, in fault-prone environments, the remaining two factors
arise as the primary difference from consensus in classical computation models. An important
witness of this difference is that the gathering problem can be solved in a certain kind of
crash-prone asynchronous robot networks [1, 10], while consensus cannot be solved under
asynchrony and one crash fault [11].

Our Contribution. In this paper, we investigate the solvability of the gathering problem in
robot networks subject to Byzantine faults. While crash-faulty robots just stop the execution of
the deployed algorithm, a Byzantine-faulty robot may execute arbitrary code (including malicious
code) and try to defeat the proper operation of correct robots. As we mentioned, the solvability of
Byzantine gathering is quite non-trivial. Actually, the Byzantine-tolerant gathering problem still
has a large gap between possibility and impossibility. As known results, Byzantine gathering
is feasible only under very strong assumptions (fully-synchronous ATOM models or small number
of robots) [1], and also the impossibility results are proved only for severe models (asynchrony,
oblivious and uniform robots, and/or without agreement of coordinate systems) [1,10]. Filling
this gap has remained an open question until now. In this paper, we respond negatively: namely,
we prove that Byzantine gathering is impossible even if we assume an ATOM model, an n-bounded
centralized scheduler, non-oblivious and non-uniform robots, and a common orientation of local
coordinate systems, for only one Byzantine robot (where n denotes the number of correct robots).
Those assumptions are much stronger than those of previous work, inducing a much stronger
impossibility result.

¹ While ATOM models are often called semi-synchronous models, we do not use that word because this model
actually has no bound for the processing/moving speed of each robot. We adapt the notion of bounded schedulers
for characterizing the bound for processing speed of robots, and thus apply the word "asynchronous ATOM models"
to the conventional semi-synchronous models.

At the core of our impossibility result is a reduction to 1-Byzantine-resilient gathering in mobile
robot systems from the distributed 1-crash-resilient consensus problem in asynchronous
shared-memory systems. In more detail, based on the distributed BG-simulation by Borowsky and
Gafni [3,4], we construct a new 1-crash-resilient consensus algorithm using any
1-Byzantine-resilient gathering algorithm on the system with several constraints. Thus, we can deduce
impossibility results of Byzantine gathering for the model stated above. More interestingly, because of
its versatility, we can easily extend our impossibility result to general pattern formation problems:
We show that the impossibility also holds for a broad class of pattern formation problems including
line and circle formation. To the best of our knowledge, this paper is the first study explicitly
bridging algorithmic mobile robotics and conventional distributed computing theory for proving
impossibility results.

It is remarkable that we assume a certain kind of synchrony assumption for robot systems.
The assumption of the n-bounded scheduler restricts the relative speed of each robot (formally, the
n-bounded scheduler only allows the activation schedules where each robot is activated at most n
times between any two consecutive activations of some robot). An interesting insight we can find
from our result is that it is possible to trade the synchrony and Byzantine behavior of robot
networks for the asynchrony and crash behavior of shared memory systems, which implies that the
gap between synchronous robot networks and classical distributed computation models is as large
as that between synchrony and asynchrony in classical models.

Related works. Since the pioneering work of Suzuki and Yamashita [20], the formation of
specific patterns, including the gathering and the convergence problems, by mobile robots has been
addressed first in fault-free systems for a broad class of settings. Prencipe [18] studied the problem
of gathering in both atomic and non-atomic movement models, and showed that the problem
is unsolvable without additional assumptions such as being able to detect the multiplicity of a
location (i.e., knowing if there is more than one robot in a given location). Following their work,
the gathering and the convergence problems were considered on several restricted settings such as
with limited visibility [2, 12], and with inaccurate sensors and movements [8, 15, 16, 19, 21].

The case of fault-prone robot networks was recently tackled by several academic studies. The
faults that have been investigated fall in two categories: crash faults and Byzantine faults.
Deterministic fault-tolerant gathering is first addressed in [1], where the authors propose a gathering
algorithm that tolerates one crash in ATOM models with arbitrary schedulers and another
algorithm working under fully synchronous scheduling, which tolerates up to $f$ Byzantine faults
for $n > 2f$ robot systems, where $n$ is the number of correct robots. In [10], the authors study
the feasibility of probabilistic gathering in crash-prone and Byzantine-prone environments. It also
improves the impossibility of Byzantine gathering, but the impossibility still relies on the weakness
of models, including obliviousness and no agreement of coordinate systems.

The convergence problem, which is a variation of the gathering problem, was first addressed by
Cohen and Peleg [8], where algorithms based on convergence to the center of gravity of the system
are presented. Those algorithms work in non-atomic models with asynchronous schedulers. The
study of convergence in Byzantine-prone environments is addressed by Bouzid et al. A series of
their papers [6, 7] investigates the relationship between the maximum number of faulty robots and
the synchrony and the atomicity of robots.

As impossibility results are hard to get, it is often interesting to start from a small set of such 
impossibility results and derive others through reduction. The distributed BG-simulation lies as 
one of the powerful reduction schemes in distributed computing. There are many applications of 
it with a variety of modified reduction strategies [3, 4, 13, 14]. 

Roadmap. The organization of the paper is as follows: In Section 2, we explain the system model,
including both robot and shared-memory models, and the problem definitions. Section 3 introduces
our reduction scheme. To clarify the concept of our idea, this section shows a weaker version of the
reduction, which is extended and generalized in Section 4.

2 Preliminaries 

2.1 Asynchronous Shared Memory System 

We consider a single-writer multi-reader (SWMR) asynchronous shared memory system of $m_s$
processes $\{p_0, \dots, p_{m_s-1}\}$. The shared memory consists of a number of memory cells, one of
which can be atomically read and written by each process. That is, we assume linearizable shared
memory. We also employ atomic snapshot for access to the shared memory. It provides atomic read
of all shared memory cells. Since atomic snapshot operation can be implemented by only using
read/write operations, it gives no additional computational power to the model. Any impossibility
result on asynchronous shared memory systems also holds even if we assume atomic snapshot
operation. Since all of three operations to access the shared memory are performed atomically
and instantaneously, we see it as an event in execution. To explain the order of events easily, we
often use the notion of discrete global time. Each event is assigned the global timestamp of its
occurrence. Since we assume linearizability, all events are consistently serialized. Thus, without
loss of generality, we assume any two events necessarily have different timestamps. Note that the
global time is introduced only for ease of explanation, and no process is aware of the time.

Processes are subject to crash faults. When a process crashes, it stops all of the following 
operations and becomes silent. In this paper, we assume that only one process can be crashed. 

2.2 Consensus Problem 

In a consensus algorithm, each correct process initially proposes a value, and eventually chooses a
decision value from the values proposed by processes so that all processes decide the same value.
The standard specification of the consensus problem assumes that the three following properties
are satisfied: (i) Termination: Every correct process eventually decides, (ii) Agreement: No two
correct processes decide different values, and (iii) Validity: If a process decides a value $v$, then $v$
is a value proposed by a process.

Throughout this paper, we only consider the binary consensus, where only value zero or one is 
the possible proposal. It is well-known that the consensus problem is not solvable in asynchronous 
shared-memory systems with one crash fault [17]. 

Theorem 1 (Impossibility of 1-resilient Consensus) There is no binary consensus algorithm
on the asynchronous SWMR shared-memory model even if $m_s = 2$ and only one process can be
crashed.

2.3 Byzantine Mobile Robot System 

The robot system consists of $n + 1$ autonomous mobile robots $\mathcal{R} = \{r_0, \dots, r_{n+1}\}$ for $n > 2$. Each
robot is non-oblivious (it can memorize a history of execution) and can be non-uniform (all robots
can execute different codes)²,³.
It does not have any device for direct communication, but is capable of observing its environment
(i.e., the positions of other robots in its local coordinate system). One robot is modeled as a point
located on a two-dimensional space. To specify the location of each robot consistently, we use a
global Cartesian coordinate system. Notice that this global coordinate system is introduced only
to ease the explanations, and that each robot is not aware of it. Each robot executes the deployed
algorithm in computational cycles (or briefly cycles). At the beginning of a cycle, the robot observes
the current environment (i.e., the positions of other robots) and determines the destination point
based on the deployed algorithm. Then, the robot moves toward the computed destination⁴, which
concludes the cycle.

² Note that our non-uniformity does not mean that each robot has a different identity and any other robot can
read this identity from the observation. That is, each robot has a different identity but it cannot visibly identify the
labels of other robots. This difference is inherently important. Actually, it yields a different computational power
to the robot system [9].

³ Note that the model of this paper is stronger than the standard one, which usually assumes that each robot is
anonymous, oblivious and uniform. However, our aim is proving the impossibility, and thus assuming stronger
assumptions gives a stronger impossibility result.

The local coordinate system of a robot is the Cartesian coordinate system whose origin is the 
current position of the robot. Moreover, x and y axes of each robot are parallel, i.e. robots share a 
common direction. We assume strong multiplicity detection for the observation of points with two 
or more robots: Each robot can detect the exact number of robots that are located at a particular 
point. 

We assume the ATOM execution model, where an execution is divided into consecutive rounds.
The scheduler determines the set of performing robots for each round. At any round $r = 0, 1, 2, \dots$,
the scheduler determines whether each robot is active or inactive. Active robots perform one cycle
in an atomic manner, and inactive ones wait during the round. The scheduler is fair in the sense
that every robot is activated infinitely often. In this paper, we assume that the scheduler is also
$k$-bounded, which guarantees that if a robot is activated at rounds $r_1$ and $r_2$ ($r_1 < r_2$), any robot
is activated at most $k$ times during $[r_1, r_2]$. We also consider another constraint for the scheduler,
called centralized scheduler, which allows only one robot to be activated at each round.

In our model, robots may exhibit Byzantine faults. A Byzantine robot is allowed not to follow the
deployed algorithm, and thus behaves arbitrarily. However, if we consider the $k$-bounded scheduler,
the constraint is also incurred to faulty robots: Even a Byzantine robot may change its position at
most $k$ times during two consecutive activations of any correct robot. We call robots that are not
Byzantine correct. Throughout this paper, we assume that the system has one Byzantine robot.
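
The scheduler constraints above can be checked mechanically on a finite schedule prefix. The following Python sketch is an added example, not code from the paper. It assumes the "consecutive activations" reading of k-boundedness given in the introduction, counts only the other robots' activations in the closed round interval, and uses constructed schedules in which robot 3 plays the Byzantine robot.

```python
from typing import Dict, List, Sequence, Set

Schedule = Sequence[Set[int]]  # schedule[t] = set of robots active in round t


def is_centralized(schedule: Schedule) -> bool:
    """Centralized scheduler: exactly one robot is activated in each round."""
    return all(len(active) == 1 for active in schedule)


def smallest_bound(schedule: Schedule, robots: Sequence[int]) -> int:
    """Smallest k for which this finite prefix is k-bounded.

    For every pair of consecutive activations (r1, r2) of a robot, count how
    often each *other* robot is activated during [r1, r2]; the largest count
    is the bound. Fairness is a property of infinite schedules and is not
    checked here.
    """
    rounds: Dict[int, List[int]] = {
        r: [t for t, active in enumerate(schedule) if r in active] for r in robots
    }
    worst = 0
    for r in robots:
        for r1, r2 in zip(rounds[r], rounds[r][1:]):
            for other in robots:
                if other == r:
                    continue
                hits = sum(1 for t in rounds[other] if r1 <= t <= r2)
                worst = max(worst, hits)
    return worst


def is_k_bounded(schedule: Schedule, robots: Sequence[int], k: int) -> bool:
    return smallest_bound(schedule, robots) <= k


# Constructed sample schedules: n = 3 correct robots (0, 1, 2), robot 3 Byzantine.
ROBOTS = [0, 1, 2, 3]
ROUND_ROBIN = [{0}, {1}, {2}, {3}] * 3
# The Byzantine robot moves 3 times between two activations of robot 0.
BURST_3 = [{0}, {3}, {3}, {3}, {1}, {2}, {0}]
# One extra Byzantine move: no longer allowed by a 3-bounded scheduler.
BURST_4 = [{0}, {3}, {3}, {3}, {3}, {1}, {2}, {0}]

if __name__ == "__main__":
    for name, s in [("round robin", ROUND_ROBIN), ("burst 3", BURST_3), ("burst 4", BURST_4)]:
        print(name, "centralized:", is_centralized(s), "bound:", smallest_bound(s, ROBOTS))
```
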

In what follows, we give a formalization of the robot model we now consider: Let $S$ be the set of
all possible internal states of the algorithm $\{A_0, A_1, \dots, A_n\}$, where $A_i$ is the algorithm deployed
to $r_i$. We can define the local state of a robot as a pair of its current internal state and its location
in terms of global coordinate systems. A system configuration (or configuration for short) is an
$(n+1)$-tuple of local states where each corresponds to the local configuration of a robot. We also
define a location configuration $L(C)$ of $C$ as an $(n+1)$-tuple of the global coordinates each of which
corresponds to locations of each robot at $C$. We sometimes treat $L(C)$ as a multiset. The location of
robot $r_i$ at $C$ is denoted by $r_i(C)$. Algorithm $A_i$ is defined as a mapping $A_i : \{\mathbb{R}^2\}^{n+1} \times S \to \mathbb{R}^2 \times S$.
That is, each robot computes the destination and its poststate from the observation result (i.e., the
multiset of locations in terms of its local coordinate system) and the current internal state.

An execution of an algorithm is a sequence of configurations $C_0, C_1, C_2, \dots$ where $C_{j+1}$ can be
obtained from $C_j$ by making a number of robots move following the deployed algorithm and by
changing the location of the Byzantine robot arbitrarily.

2.4 Gathering Problem 

The gathering problem must ensure that all correct robots eventually meet at a point that is not 
predefined, starting from any configuration. Formally, we say that an algorithm A solves the 
gathering problem if any execution of A eventually reaches a configuration where all correct robots 
are on a single point and never leave there. 

Given an execution $\mathcal{E} = C_0, C_1, \dots, C_j, \dots$, we say a configuration $C_j$ is legitimate if all correct
robots keep a common location at $C_{j'}$ for any $j' > j$. For any configuration $C_j$, we define $m(C_j)$
as the point at which the most robots are located in $C_j$⁵, and $M(C_j)$ as its number.

⁴ We also assume that the robot can reach the computed destination in the move phase for proving the impossibility.
⁵ If two or more points have the same and maximum number of robots, an arbitrary one from them is
deterministically chosen as the value of $m(C_j)$.

3 Impossibility of Byzantine Gathering



3.1 Discussion and Outline 

Our impossibility proof is derived from the reduction of 1-crash-resilient binary consensus on
asynchronous shared memory systems to 1-Byzantine-resilient gathering on mobile robot systems.
More precisely, we show that the 1-crash-resilient binary consensus algorithm can be constructed
using any 1-Byzantine-resilient gathering algorithm. The primary part of this reduction is a
simulator algorithm of Byzantine mobile robot systems, which is "synchronous" in a certain sense, on
top of "asynchronous" shared-memory systems.

Let us first start the explanation of our idea from an analogy bridging those two models. It is 
easy to find some correspondence between atomic snapshot models and mobile robots: We see one 
memory cell of the shared memory as the local state (i.e., the location) of one robot. Then, taking 
a snapshot implies an observation, and writing some value to the cell implies move. This analogy 
makes us look at a framework of the simulation as follows: 

1. Consider the shared memory system of $n + 1$ processes, each of which corresponds to one
simulated robot. At the beginning of the simulation, each process "encodes" its proposal to
the initial location of the robot (e.g., put the robot on (1,0) if the proposal is one and on
(0,0) if zero).

2. Each process $p_i$ repeats the following task: The process $p_i$ first takes a snapshot. Using
the resultant value of the snapshot as the observed configuration, it activates robot $r_i$ and
calculates the destination of the gathering algorithm. Then, it actually makes $r_i$ move to the
computed destination by writing its coordinate to the corresponding shared-memory cell.

3. If the observed configuration is legitimate, each process "decodes" the decision value from
the coordinate of the gathering point.

Unfortunately, the above framework does not work correctly. We can point out at least two
flaws: 1) The above simulation framework is not wait-free: To simulate $(n+1)$-robot systems
correctly, all $n + 1$ robots must appear on any configuration. However, if a faulty process is
initially crashed, the initial location is never set to the corresponding robot. 2) The observation
and movement are not atomic: To simulate semi-synchronous mobile robots, any concurrent cycle
must be performed in a synchronized manner, which is not guaranteed in the above framework.
For example, the following behavior is possible: A process takes a snapshot at $t$, and writes the
destination at $t'$ ($t < t'$). Then, during the period $[t, t']$, another process may simulate two or more
activations. That behavior never matches the ATOM execution.

Our reduction circumvents the above difficulties by employing the concept of the BG-simulation
by Borowsky and Gafni [3]. The BG-simulation was originally invented to extend the wait-free
impossibility into 1-resilient impossibility. Its principle is to simulate the system of n processes with
a single fault by only two processes with a single fault. To make such a simulation successful, we cannot
statically assign the role of simulated processes to simulator processes (because all of the processes
assigned to a process $p_i$ are simultaneously crashed if $p_i$ is crashed). Instead, in the original
BG-simulation, each process simulates all processes in round-robin manner. Then, one process can be
simulated by two processes, which may bring some inconsistency problem between the two simulations.
The original BG-simulation resolves those situations by a mutual-exclusion-like mechanism. This
approach is wait-free as the simulation of 1-resilient systems: Assume that one of two simulating
processes can be crashed when it is in simulation of a process $p_i$. Then, $p_i$'s simulation can be
blocked forever, but such a block occurs at most once since the number of simulator processes is
two. Thus, we can regard $p_i$ as faulty in the simulation. This feature will be helpful to resolve the
flaw 1) we mentioned.

Yet another problem of simulating ATOM, however, still remains even if we simply use the
BG-simulation. This is because the original BG-simulation does not intend to simulate synchronous
systems. To clarify this problem, let us consider the following case: Two simulator processes
concurrently simulate the consecutive two behaviors x and y of two different processes. First,
both processes simulate the behavior x but their simulations are inconsistent. Then, to decide the
behavior x, both processes must complete the simulation of x. However, since one of two simulator
processes may be faulty, the process completing the simulation of x cannot wait for the other
process. It must proceed to the simulation of y in spite of uncertainty of x, which can result in the
inconsistency between x and y after both of them are fixed. The original BG-simulation avoids this
uncertainty by reading the past state at the simulation of y. That is, any simulation following x is
performed as if the behavior x does not occur, which continues until the behavior x is completely
fixed. Then, importantly, we cannot know when x is fixed because the simulator processes are
completely asynchronous, and thus the simulation also becomes asynchronous. Consequently, the
straightforward use of BG-simulation fails to achieve the simulation of our reduction. The trick of
our reduction algorithm is to make Byzantine behavior absorb this uncertainty.

3.2 Reduction 
3.2.1 Object slot 

Our reduction algorithm uses a slot shared object, which partly abstracts the idea of the original
BG-simulation. Informally, a slot object is the write-once register shared by two processes, which
is guaranteed to decide one submitted value as the committed value only if no process crashes
during submission, or two submissions by different processes are not contended. It provides two
operations $\mathrm{submit}_i(v)$ and $\mathrm{read}_i()$. The operation $\mathrm{submit}_i(v)$ denotes that $p_i$ writes a value $v$ to the
slot. Since slot is write-once, it can be activated at most once by each process. The read operation
by $p_i$ returns the triple $(v_0, v_1, s)$, which respectively mean the values submitted by $p_0$ and $p_1$, and
the status of the object (if $v_i$ is not submitted yet, $v_i = \bot$). The status indicates whether the
stored value is committed or not, and which is the committed value if committed. If the value is
committed, the status entry in the returned triple holds the process ID submitting the committed
value. Otherwise, it holds value $\bot$, which means the slot is not committed yet. Formally, we can
define the specification of the slot object as follows:

Definition 1 Let $O$ be a slot object. The times when operation $O.\mathrm{submit}_i(v_i)$ begins and ends are
denoted by $b_i$ and $e_i$⁶. Then, the following properties are guaranteed:

Validity: For any triple $(w_0, w_1, s)$ returned by a read operation, $w_i \in$ holds for any $i \in \{0, 1\}$.

Contended Value Detection: If a read operation returns $(w_0, w_1, \bot)$, $w_0 \neq \bot$ and $w_1 \neq \bot$ hold.

Persistency: If a read operation returns a non-$\bot$ status $s$ at $t$, any read operation invoked after $t$
returns status $s$.

Commitment: Any read operation invoked at $t' > \max\{e_0, e_1\}$ returns a non-$\bot$ status.

No Contention Commitment: If $e_i < b_{1-i}$, any read operation invoked after $e_i$ returns the
status $s = i$.

Common Value Commitment: If $v_0 = v_1$ holds, any read operation invoked at $t' > \min\{e_0, e_1\}$
returns a non-$\bot$ status.

In this paper, we do not present the implementation of the slot object because it is implicitly
addressed in the original BG-simulation paper [3,4]. Readers who are interested in the
implementation can refer to that paper or a standard textbook of distributed computing.

⁶ If the operation $O.\mathrm{submit}_i(v_i)$ does not begin (or does not end because of $p_i$'s crash), we define $b_i = \infty$ (or $e_i = \infty$).

3.2.2 Details of Simulation



Algorithm 1 shows the pseudocode description of our simulation. As explained, this algorithm is
designed for two-processor asynchronous shared memory systems. In the following argument, let
$\{p_0, p_1\}$ be the set of simulator processes running this algorithm. As the simulation target, we
consider the robot system of $f = 1$. Hence the total number of robots is $n + 1$. In the simulation,
$r_n$ is regarded as the Byzantine robot. The shared memory has an array $E$ of slot objects. Each
element of $E$ stores the result of an activation of a robot (represented as a pair of its internal state
and location), and the whole of array $E$ corresponds to the round-robin scheduling of all correct
robots. Thus, each slot $E[j]$ stores the behavior of robot $r_{j \bmod n}$. Note that $E$ does not explicitly
contain the behavior of faulty robot $r_n$.

The simulation algorithm consists of two blocks: The first for-loop constructs the initial
configuration of the simulated execution, where each process submits the initial configuration of each
robot with location (0,0) or (1,0) to $E[0..n-1]$ according to the simulator's proposal value.
Simulating one-step movement of a robot corresponds to one pass of the following loop block (referred
to as "main loop" in the following argument). The variable $u$ counts the number of simulated steps.
That is, the $u$-th loop simulates the $(u - n)$-th time step of the simulated execution. Recall that the first
$n$ slots are used for the construction of the initial configuration.

In the loop, the simulation exploits the subroutine called getview. It constructs the configuration
as the observation result of robot $r_{u \bmod n}$ by referring to the last $n$ slots: The subroutine first takes a
snapshot of $E$ (referred to as $E'$ in the algorithm), and copies the committed values of
$E'[u-n], E'[u-n+1], \dots, E'[u-1]$ to local variable $C[0], C[1], \dots, C[n-1]$. If some slot $E[u-n+g]$ ($0 \le g \le n-1$)
is uncommitted, one cannot determine the value to be committed, but only obtain two submitted
values $v_0$ and $v_1$. Then, we store $v_i$ into $C[g]$ ($i$ is the ID of the simulator process) and $v_{1-i}$ into
$C[n]$. The implication of this scheme is to "assume" $v_i$ is the committed value and regard $v_{1-i}$ as
a Byzantine behavior. If there is no uncommitted slot, one does not have to use the Byzantine
behavior for conflict resolution of an uncommitted slot, and thus an arbitrary location can be given
to Byzantine robot $r_n$. In our simulation, a "helping" location, which is $m(C)$, is given. The
getview subroutine also returns a flag $q$, which is TRUE if all slots of $E'[u-n..u-1]$ are
committed. This information is used to determine whether the simulator process can decide a
value or not. After the construction of the observation result $C$, if $q$ = TRUE and the constructed
configuration is legitimate, $p_i$ decides a value decoded from $m(C)$. Note that this decode function
cannot be defined as decode((0, 0)) = 0 and decode($v$) = 1 for all other $v$. Even if all correct
robots are initially placed on a common point $v$, the point of gathering is not necessarily $v$ because
we consider non-oblivious robots. The way of defining function decode is argued in the following
correctness proof.
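
As an added illustration (not the authors' code), here is the getview construction of Algorithm 1 in Python. It assumes that slot values are bare locations (internal states are omitted), that ⊥ is represented by `None`, that m(C) breaks ties by the smallest point, and that the snapshots are constructed samples; `swap` is the exchange of C[k] and C[n] that Section 3.3 writes as π_k.

```python
from collections import Counter
from typing import List, Optional, Sequence, Tuple

BOT = None  # the paper's ⊥: "not submitted" / "not committed"
Point = Tuple[int, int]
SlotRead = Tuple[Optional[Point], Optional[Point], Optional[int]]  # (v0, v1, s)


def most_populated(points: Sequence[Point]) -> Point:
    """m(C): the point holding the most robots. Ties go to the smallest point
    (an assumed tie-break; the paper only requires a deterministic choice)."""
    counts = Counter(points)
    top = max(counts.values())
    return min(p for p, c in counts.items() if c == top)


def getview(i: int, j: int, snapshot: Sequence[SlotRead], n: int):
    """Observation built by simulator p_i for step j from slots j-n .. j-1.

    Returns (q, C): C[0..n-1] are the correct robots' locations, C[n] is the
    Byzantine robot r_n, and q is True only if every slot read was committed.
    """
    C: List[Optional[Point]] = [BOT] * (n + 1)
    q = True
    for l in range(n):
        v0, v1, s = snapshot[l + j - n]
        submitted = (v0, v1)
        if s is not BOT:
            C[l] = submitted[s]          # committed: take the committer's value
        else:
            # Uncommitted implies both values are present (Contended Value
            # Detection). Assume our own value; blame the other one on r_n.
            C[l] = submitted[i]
            C[n] = submitted[1 - i]
            q = False
    if q:
        C[n] = most_populated(C[:n])     # no conflict: "helping" location
    return q, C


def swap(C: Sequence[Optional[Point]], k: int) -> List[Optional[Point]]:
    """Exchange entries C[k] and C[n], where n is the last index."""
    out = list(C)
    out[k], out[-1] = out[-1], out[k]
    return out


# Constructed sample: n = 3, p0 proposed 0 -> (0,0), p1 proposed 1 -> (1,0).
N = 3
ZERO, ONE = (0, 0), (1, 0)
# Slot 1 is still contended: both values submitted, no committer yet.
CONTENDED = [(ZERO, ONE, 0), (ZERO, ONE, BOT), (ZERO, ONE, 1)]
# Same slots once slot 1 has been committed by p0.
COMMITTED = [(ZERO, ONE, 0), (ZERO, ONE, 0), (ZERO, ONE, 1)]

if __name__ == "__main__":
    q0, view0 = getview(0, N, CONTENDED, N)
    q1, view1 = getview(1, N, CONTENDED, N)
    print("p0 sees", view0, "all committed:", q0)
    print("p1 sees", view1, "all committed:", q1)
    print("views differ by a swap at index 1:", swap(view0, 1) == view1)
    print("after commit:", getview(0, N, COMMITTED, N))
```

Both simulators read the same contended snapshot, yet each obtains a view in which its own value is the correct robot's location and the other value is the Byzantine robot's; the two views are the same multiset of locations and differ only by the swap.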

3.3 Outline of the Correctness Proof 

We informally show how and why our simulation algorithm correctly solves the consensus. We first
introduce several notations: Each slot in the array $E$ is identified by its index. We say
that a process $p_i$ enters a slot $j$ (or finishes $j - 1$) at $t$ if it takes the $j$-th snapshot at $t$. The time when
$p_i$ enters slot $j$ is denoted by $t^i_j$. Let $c(j)$ be the process ID submitting the committed value of
slot $E[j]$ (we say "$p_{c(j)}$ commits $E[j]$" or "$p_{c(j)}$ is the committer of $E[j]$" in what follows), and $C^i_j$ be the
observation result that $p_i$ obtains at the $j$-th main loop. We define $a(j) = j \bmod n$ for short (i.e.,
$a(j)$ is the ID of the robot to be activated at the $j$-th main loop). We also introduce the swap operator
$\pi_k$. For a given configuration $C$, we define $\pi_k C$ to be the configuration obtained by swapping two
entries $C[k]$ and $C[n]$. By the definition, $\pi_n C = C$ clearly holds.

Intuitively, the role of swap operators is to correct "misunderstanding" of uncertain slots. An 
example can be shown as follows: Let t be the time when the committer po of slot j takes j-th 
snapshot E' . Assume a slot g is uncommitted in E' and p\ commits both slots g and j + 1. Letting 
(xq,x\) be two values submitted to g, since g is uncommitted in E', the constructed observation 
result C® satisfies Cj[a(g)] = xq and C°[n] = X\. On the other hand, since g is committed at the 
construction of Ch C^[a(g)] = x\ holds. In this case, we cannot have the execution connecting 
Algorithm 1 ConsensusToGathering: Reduction from Consensus to Byzantine Gathering 

E[0..∞] of slot (shared objects) 

procedure getview_i(j): 
    q <- TRUE; E' <- snapshot(E) 
    for l <- 0 to n − 1 do 
        (v_0, v_1, s) <- E'[l + j − n].read_i() 
        if s ≠ ⊥ then 
            C[l] <- v_s                                /* when s is committed */ 
        else 
            C[l] <- v_i; C[n] <- v_{1−i}; q <- FALSE   /* when s is uncommitted */ 
        endif 
    endfor 
    if all slots in E'[j − n, j − 1] are committed then 
        C[n] <- m(C) 
    endif 
    return (q, C) 
endprocedure 

when propose_i(v): 
    for u <- 0 to n − 1 do                  /* Construction of initial configuration */ 
        E[u].submit_i(((v, 0), INIT_u))     /* INIT_u is the initial state of r_u */ 
    endfor 
    u <- n 
    loop 
        (q, C) <- getview_i(u) 
        if q = TRUE and C is legitimate then 
            decide_i(decode(m(C))) and exit 
        endif 
        E[u].submit_i(move(^(u mod n), C, r_(u mod n),)); u <- u + 1 
    endloop 


$C_j^0$ and $C_{j+1}^1$, but the connection between $\pi_{\alpha(g)} C_j^0$ and $C_{j+1}^1$ is possible. 

We write $C \xrightarrow{x} C'$ if the activation of Byzantine robot $r_n$ followed by that of $r_x$ makes $C$ reach $C'$. Then, it is assumed that the activation of Byzantine robot $r_n$ provides the best case movement. That is, $C \xrightarrow{x} C'$ implies that $C$ can reach $C'$ if the Byzantine robot appropriately moves after the activation of $r_x$. The intended (but not attained) principle of our simulation is that one can organize the simulated execution 

$$\mathcal{E} = \pi_{\gamma_n} C_n^{c(n)} \xrightarrow{\alpha(n)} \pi_{\gamma_{n+1}} C_{n+1}^{c(n+1)} \xrightarrow{\alpha(n+1)} \cdots \; \pi_{\gamma_j} C_j^{c(j)} \xrightarrow{\alpha(j)} \pi_{\gamma_{j+1}} C_{j+1}^{c(j+1)} \cdots$$ 

for an appropriate sequence $\gamma_n, \gamma_{n+1}, \gamma_{n+2}, \ldots$. Unfortunately, that intention is broken in some critical case, which is explained below: 

Consider the situation where some process $p_i$ starts the $(j + n)$-th loop before the commitment of slot $j$. In this situation, $p_i$ has to make $r_{\alpha(j+n)}$ move in spite of the uncertainty of its location (because $E[j]$ is not committed yet and thus there are two possibilities $x_0$ and $x_1$ of $r_{\alpha(j)}$'s current local state). Then, $p_i$ chooses $x_i$ as if $E[j]$ were already committed with value $x_i$. However, if $E[j]$ is actually committed with the value $x_{1-i}$ by the other process $p_{1-i}$, an inconsistency arises: We cannot construct a single execution that reflects the two committed values of slots $j$ and $j + n$. 

To achieve the consistency in the above scenario, we need to correct the committers of j and 
j + n as if they are committed by the same value. That scenario and the correction scheme are 
formalized by the notions of critical slots and validators, which are defined as follows: 

Definition 2 Let $\mathcal{E} = [n + 1, n + l]$ be a finite-length sequence of slots. A slot $j$ is critical in $\mathcal{E}$ if it is uncommitted at $t_{j+n}^{c(j+n)}$ in the $(j + n)$-th snapshot taken by $p_{c(j+n)}$ and $c(j) \neq c(j + n)$ holds. 

Definition 3 Let $\mathcal{E} = [n + 1, n + l]$ be a finite-length sequence of slots. The validator $p_{val(j)}$ of slot $j$ in $\mathcal{E}$ is defined as 

$$p_{val(j)} = \begin{cases} p_{val(j+n)} & \text{if } j \text{ is critical and } j < l \\ p_{c(j)} & \text{otherwise} \end{cases}$$ 

Note that the criticality and validator of each slot are determined for a fixed finite-length $\mathcal{E}$. Thus, if we consider a longer sequence $\mathcal{E}'$ obtained by appending a postfix sequence to $\mathcal{E}$, those can change because the criticality and the validators of the last $n$ slots $[j - n + 1, j]$ depend on the following $n$ slots $[j + 1, j + n]$. Intuitively, validators are the processes whose observation results constitute the simulated execution. Actually, the simulated configuration corresponding to each slot is defined as follows: 

Definition 4 Given a finite-length sequence $\mathcal{E}$ of slots, the simulated configuration $C_j$ of slot $j$ for $\mathcal{E}$ is defined as follows: 

• $C_j = C_j^{val(j)}$ if no slot in $[j - n, j - 1]$ is uncommitted at $t_j^{val(j)}$. 

• If a slot $k \in [j - n, j - 1]$ is uncommitted at $t_j^{val(j)}$, $C_j = \pi_\gamma C_j^{val(j)}$ for appropriate $\gamma$ ($\in \{\alpha(k), n\}$) such that $\pi_\gamma C_j^{val(j)}[\alpha(k)] = v_k^{val(k)}$ holds. 
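
Definitions 2 and 3, and the remark that validators change when the sequence of slots is extended, can be checked mechanically. The following Python sketch is an added example, not code from the paper; it assumes each slot's committer c(j) and the set of slots that were still uncommitted in the (j+n)-th snapshot are given as inputs, and all names and sample values are constructed.

```python
# Added illustration: critical slots (Definition 2) and validators
# (Definition 3) for the slot sequence [n+1, n+l]. All inputs are constructed.

def critical_slots(n, l, c, late):
    """Slots of [n+1, n+l] that are critical.

    c[j] : ID (0 or 1) of the simulator process that committed slot j
    late : slots j that were still uncommitted in the (j+n)-th snapshot
           taken by the committer of slot j+n (assumed to be known)
    A slot whose successor j+n lies outside the sequence cannot be
    evaluated and is treated as non-critical.
    """
    last = n + l
    return {j for j in range(n + 1, last + 1)
            if j + n <= last and j in late and c[j] != c[j + n]}


def validators(n, l, c, late):
    """val(j) for every slot of [n+1, n+l], following Definition 3."""
    crit = critical_slots(n, l, c, late)
    val = {}
    # Walk backwards so that val[j + n] is known when slot j needs it.
    for j in range(n + l, n, -1):
        if j in crit and j < l:
            val[j] = val[j + n]      # inherit the validator of slot j+n
        else:
            val[j] = c[j]            # the committer validates its own slot
    return val


# Constructed sample: n = 2 correct robots, two simulators p_0 and p_1.
N = 2
COMMITTER = {3: 0, 4: 0, 5: 1, 6: 0, 7: 0, 8: 1}
LATE = {3, 5}


def demo():
    """Validators for [3, 6] and for the extended sequence [3, 8]."""
    short = validators(N, 4, COMMITTER, LATE)
    extended = validators(N, 6, COMMITTER, LATE)
    changed = sorted(j for j in short if short[j] != extended[j])
    return short, extended, changed


if __name__ == "__main__":
    short, extended, changed = demo()
    print("validators for [3, 6]:", short)
    print("validators for [3, 8]:", extended)
    print("slots whose validator changed:", changed)
```

In the sample, slot 5 becomes critical only once slot 7 is part of the sequence, and slot 3, which inherits its validator from slot 5, changes with it.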

The key lemma of our reduction scheme is that the sequence of simulated configurations (called the simulated execution) constitutes a possible execution. 

Lemma 1 Given a finite-length sequence of slots $\mathcal{E}$ and any $j$ that is smaller than the length of $\mathcal{E}$, $C_j \xrightarrow{\alpha(j)} C_{j+1}$ holds. 

The above lemma implies that there exists an execution $C_n, C_{n+1}, C_{n+2}, \ldots$ under the $(n - 1)$-bounded centralized scheduler. Informally, the uniform agreement and termination properties are deduced from this lemma and the correctness of the gathering algorithm. However, the validity must be considered more carefully. An important point is that the validity property is strongly related to the way of defining function decode. In the rest of this subsection, we state the appropriate definition of function decode guaranteeing the validity of ConsensusToGathering. 

Let us consider the situation where both $p_0$ and $p_1$ propose the same value (assume zero). Then all robots are placed on (0, 0) initially in the simulation. As we mentioned in the previous section, however, it does not imply that all robots are gathered at (0, 0) because they are non-oblivious. Let $C$ be the configuration where all robots are placed on (0, 0). To guarantee the validity, we need to decode the point of gathering in any simulated execution starting from $C$ to zero. Fortunately, since $p_0$ and $p_1$ have a common proposal, it is ensured that the simulated execution of $\mathcal{A}$ is uniquely determined: They submit the same value to each slot in $[0..n - 1]$. From the common value commitment property of Slot objects, any slot in $[0..n - 1]$ is immediately committed when at least one process finishes it. Thus, when a process enters slot $n$, all slots of $[0..n - 1]$ have been committed. That is, the configurations constructed at slot $n$ are the same among $p_0$ and $p_1$, and thus the submissions of $p_0$ and $p_1$ at slot $n$ are also the same. Inductively we can conclude that the submission values of the two processes to any slot are the same. That is, the simulated execution (and thus the point of gathering) is uniquely determined from the initial configuration. Let $x$ be the point of gathering corresponding to $C$. Provided decode(v) as the function returning zero if $v = x$ and one otherwise, we can guarantee that the algorithm decides zero if all processes propose zero. For the case that all processes propose one, we need to show that the gathering is never achieved at $x$. It can be proved as follows: Let $C'$ be the configuration where all robots are placed on (1, 0). By the same reason as the case of all proposing zero, the simulated execution starting from $C'$ is also uniquely determined. Furthermore, its activation schedule is completely the same as in the case of all proposing zero. Since each robot is not aware of global coordinates, it follows that the robots are gathered at $x + (1, 0)$ in the simulated execution starting from $C'$. 

The above argument clearly provides the validity of the consensus, and thus the following 
theorem is obtained. 
Theorem 2 The algorithm ConsensusToGathering correctly solves the consensus problem, and thus 
there exists no gathering algorithm tolerating up to one Byzantine fault even if we assume agreed 
direction of local coordinate systems, instantaneous movements, n-bounded centralized scheduler, 
and non-oblivious and non-uniform robots. 

4 General Formation 

While the algorithm ConsensusToGathering is constructed to derive the impossibility of Byzantine gathering, its scheme is easily reused to obtain the impossibility of a more general class of formation problems. 

We first formally define the general formation problem. A Byzantine formation problem on $n + f$ robots is defined by a family $\mathcal{F}$ of multisets of locations with cardinality $(n + f)$. An algorithm $\mathcal{B}$ solves the Byzantine formation problem $\mathcal{F}$ if in any execution of $\mathcal{B}$ all correct robots eventually form and keep the location set that is a subset of an element in $\mathcal{F}$. Clearly, it is not possible to show the impossibility for every formation $\mathcal{F}$. For example, if $\mathcal{F} = (\mathbb{R} \times \mathbb{R})^{n+f}$ (i.e., any multiset of $n + f$ locations belongs to $\mathcal{F}$), $\mathcal{F}$ can be solved trivially. In the following argument, we consider the family of patterns to which we can apply our reduction technique, and explain how we apply it. 

We only consider the case of $f = 1$. We define a 1-neighborhood relation between two location configurations $P$ and $P'$, which holds if and only if $|P \cap P'| \geq n$. The transitive closure of the 1-neighborhood relation is denoted by $\sim$. Given a formation problem $\mathcal{F}$, we define its 1-neighborhood extension $\mathcal{F}^1 = \{P' \mid \exists P \in \mathcal{F}, P' \sim P\}$. Since the relation $\sim$ is an equivalence relation, we can define the equivalence classes over $\mathcal{F}^1$, which are denoted by $[\mathcal{F}^1]$. Given $P = \{v_0, v_1, \ldots, v_{n+1}\}$, we define $P + x = \{v_0 + x, v_1 + x, \ldots, v_{n+1} + x\}$. We first define the formation problems we can handle in our reduction algorithm. 

Definition 5 A formation problem $\mathcal{F}$ is said to be bivalent if there exists $x_P$ for any $P \in \mathcal{F}$ such that $P$ and $P + x_P$ belong to different classes in $[\mathcal{F}^1]$. 

It can be shown that many well-known pattern formation problems (circle, line, and so on) are 
bivalent. We present several examples in the appendix. 

We introduce the modification of the algorithm ConsensusToGathering to derive the impossibility of bivalent pattern formation problems. The framework is exactly the same as the reduction to gathering. Each simulator process first tries to place all robots on some coordinates according to its proposal, and runs the simulation. Finally, the process decodes a decision value when the simulation reaches a legitimate configuration. The points to be addressed are (i) the definition of functions $M(C)$ and $m(C)$, and (ii) the locations of robots initially placed and the definition of function decode. We explain the modification of the simulation algorithm for those points: 

Defining M(C) and m(C) The function $M(C)$ is defined as $M(C) = \max_{P \in \mathcal{F}} |L(C) \cap P|$. Let $P'$ be the pattern in $\mathcal{F}$ maximizing $|L \cap P|$ (if two or more patterns in $\mathcal{F}$ maximize it, an arbitrary one is deterministically chosen). We define $m(C)$ as a coordinate in $P' \setminus L$, which is also chosen deterministically if $|P' \setminus L| > 1$. 

Initial location and decoding function decode For the proposal zero, we define the initial location configuration of $n$ robots $((0, 0), (1, 0), (2, 0), \ldots, (n - 1, 0))$. That is, the process proposing zero submits value $((i, 0), \mathrm{INIT}_i)$ to slot $i$ ($\mathrm{INIT}_i$ is the initial local state of robot $r_i$). By the same argument as the case of gathering, for that initial configuration, we can uniquely determine the legitimate configuration $C$ that the simulated execution eventually reaches. From the definition of bivalent formation problems, there exists a vector $x$ such that $L(C) + x$ belongs to a class of $[\mathcal{F}^1]$ different from what $L(C)$ belongs to. We define the initial location configuration for proposal one as $((0, 0) + x, (1, 0) + x, (2, 0) + x, \ldots, (n - 1, 0))$. We further define decode as the function from a (legitimate) configuration to $\{0, 1\}$. It returns zero if the given configuration belongs to the class of $\mathcal{F}^1$ to which $L$ belongs, and one otherwise. 






We can prove similarly as Theorem 2 that the modified algorithm correctly solves the consensus. 
Consequently the following theorem is obtained. 

Theorem 3 Any bivalent formation problem is unsolvable in the system with $f = 1$ even if we 
assume a common orientation of local coordinate systems, instantaneous movements, n-bounded 
centralized scheduler, and non-oblivious and non-uniform robots. 
A Correctness Proof of Lemma 1 



In the following argument, we use the notation $t_j = t_j^{val(j)}$ and $v_j = v_j^{val(j)}$ for short. We first show two lemmas that are used in the main proof: 

Lemma 2 For any $j$, $C_{j+1}[\alpha(j)] = v_j$ holds. 

Proof This trivially holds from the definition of validators and simulated configurations. □ 

Lemma 3 $t_j < t_{j+1}$. 

Proof Suppose for contradiction that $t_j > t_{j+1}$ holds. Then $p_{val(j)} \neq p_{val(j+1)}$ clearly holds and thus $p_{val(j+1)}$ finishes slot $j$ before $p_{1-val(j+1)}$ enters $j$. It implies that $p_{val(j)}$ is not the committer of $j$ and thus $j$ is critical. However, to make $j$ critical, $p_{val(j)}$ must enter $j + n$ at $t_{j+1}$ or earlier because $j$ has been committed at $t_{j+1}$ or earlier, which contradicts $t_j > t_{j+1}$. □ 

By using these lemmas, we prove Lemma 1. 

Proof From Lemma 2, it suffices to show that $C_j[x] = C_{j+1}[x]$ holds for any $x \in [0, n] \setminus \{\alpha(j), n\}$. Since $C_j[\alpha(k)] = C_{j+1}[\alpha(k)]$ holds if slot $k$ has the same status at $t_j$ and $t_{j+1}$, the only scenario we have to consider is that the status of some slot $k \in [j - n + 1, j - 1]$ changes from uncommitted to committed between $t_j$ and $t_{j+1}$ (recall $t_j < t_{j+1}$ from Lemma 3). We show that $C_j[\alpha(k)] = C_{j+1}[\alpha(k)]$ holds in this scenario, which is sufficient to prove the lemma. Suppose for contradiction that $C_j[\alpha(k)] \neq C_{j+1}[\alpha(k)]$. From the definition of simulated configurations, we have $C_j[\alpha(k)] = v_k^{val(k)}$ and $C_{j+1}[\alpha(k)] = v_k^{c(k)}$. Thus, $val(k) \neq c(k)$, which implies that $k$ is critical. Then $p_{val(k)}$ must stay at slot $k$ until $p_{1-val(k)}$ enters $k + n$ ($> j + 1$). It however contradicts the fact that $k$ is committed at $t_{j+1}$ because $t_{j+1}$ is the time when $p_{1-val(k)}$ commits $j + 1$. □ 

B Proof of Theorem 2 

The theorem is proved by showing that the algorithm ConsensusToGathering guarantees the uniform 
agreement, termination, We say that a simulated configuration C is semi-legitimate if there exists 
$\gamma \in [0, n - 1]$ such that $\pi_\gamma C$ is legitimate. Note that any legitimate configuration is semi-legitimate 
because of $\pi_n C = C$. The following lemma plays an important role in the following proof. 

Lemma 4 Let $\mathcal{A}$ be an arbitrary Byzantine gathering algorithm tolerating up to one fault, and $\mathcal{E} = C'_0, C'_1, C'_2, \ldots, C'_j$ be an arbitrary execution of $\mathcal{A}$ such that $C'_0$ is semi-legitimate and $r_n(C'_k) = m(C'_k)$ or $r_n(C'_{k-1})$ holds for any $k$ ($1 \leq k \leq j$). Then, for any configuration $C'_h$ in $\mathcal{E}$, $M(C'_h) \geq n$ and $m(C'_0) = m(C'_h)$ hold. 

Proof We show that $M(C'_1) \geq n$ and $m(C'_0) = m(C'_1)$ hold. For the following configurations $C'_2, C'_3, \ldots$, we can inductively apply the same argument as for $C'_1$. If all correct robots are located on $m(C'_0)$ at $C'_0$, $C'_0$ is already legitimate and the lemma clearly holds. Otherwise, we have $r_n(C'_0) = m(C'_0)$ and $M(C'_0) = n$. We show that any robot on $m(C'_0)$ never moves during the transition from $C'_0$ to $C'_1$. Let $r_\gamma$ be the robot not on $m(C'_0)$ at $C'_0$. Since $C'_0$ is semi-legitimate, the configuration $\pi_\gamma C'_0$ is a legitimate configuration. Then the robots on $m(C'_0)$ cannot distinguish $C'_0$ and $\pi_\gamma C'_0$, and thus they never change their positions. Since we assume that $r_n(C'_1) = m(C'_1)$ ($= r_n(C'_0)$), we can conclude that all robots on $m(C'_0)$ keep their positions at $C'_1$. The lemma is proved. □ 

Lemma 5 (Uniform Agreement) If $p_0$ and $p_1$ decide, their decision values are the same. 

Proof Without loss of generality, we assume that $p_0$ decides at a slot earlier than or equal to $p_1$'s. Let $j$ and $j + h$ be the slots where $p_0$ and $p_1$ decide respectively. Since $p_0$ exits at the beginning of slot $j$, all slots $[j, j + h]$ are solely committed by $p_1$. From the definition, those slots are not critical. It follows that $m(C_k^1) = m(C_k)$ holds for any $k \in [j, j + h]$. In addition, we can obtain $m(C_j^0) = m(C_j)$ because all slots of $[j - n, j - 1]$ are committed at the construction of $C_j^0$ (from the definition of simulated configuration $C_j$, each entry $C_j[x]$ for any $x \in [0, n]$ is the committed value of the corresponding slot in $[j - n, j - 1]$). Assume that $C_j$ is semi-legitimate and $r_n(C_k) = m(C_k)$ or $r_n(C_{k-1})$ holds for any $k \in [j + 1, j + h]$. Then, from Lemma 4, we can conclude $m(C_j^0) = m(C_j) = m(C_{j+h}) = m(C_{j+h}^1)$ and thus the lemma holds. 

The rest of the proof is to show that those assumptions hold. We first show that the first one holds: Since $C_j^0$ is legitimate and all slots of $[j - n, j - 1]$ are committed at $t_j^0$, $C_j$ is legitimate if those slots are already committed at $t_j$. Otherwise, letting $l$ be the slot in $[j - n, j - 1]$ uncommitted at $t_j$, $\pi_l C_j$ or $C_j$ is legitimate, which implies that $C_j$ is semi-legitimate. 

Next we look at the second assumption. We give the proof for the case of $k = j + 1$. For any following slot $k > j + 1$, we can inductively prove the assumption in the same way as that case. Consider the following two cases: 1) If all slots in $[k - n, k - 1]$ are committed at $t_k^1$, we obviously have $r_n(C_k^1) = m(C_k^1)$. 2) If a slot $l \in [k - n, k - 1]$ is uncommitted at $t_k^1$, $l$ is uncommitted during because any slot processed after $t_j$ is immediately committed when $p_1$ finishes it. This implies that the status of $l$ is the same at $t_k^1$ and $t_{k-1}^1$ and thus $r_n(C_k^1) = r_n(C_{k-1}^1)$ holds. The lemma is proved. □ 

Lemma 6 (Termination) Each process $p_i$ eventually decides unless it crashes. 

Proof We first show that at least one of $p_0$ and $p_1$ eventually decides. Lemma 1 implies that we can have an admissible execution $\mathcal{E} = C_0, C_1, \ldots, C_j$ for sufficiently large $j$ where the last $n$ slots are eventually committed (that is, no process crashes during the processing of those slots) and the simulated configurations $C_{j-n+1}, C_{j-n+2}, \ldots, C_j$ corresponding to them have converged to a legitimate one. Let $m$ be the point of gathering, that is, $m = m(C_{j-n+1}) = m(C_{j-n+2}) = \cdots = m(C_j)$. From the definition of simulated executions, the last $n$ configurations are the observation results by the committer of each slot. Since $C_k$ for any $k \in [j - n + 1, j]$ is legitimate, its committed value is $m$. Let $p_i$ be the process such that no process enters $j + 1$ after $p_i$ does. Since all slots in $[j - n + 1, j]$ have been committed with $m$ when $p_i$ enters $j + 1$, $p_i$ decides at $j + 1$. 

The remaining part of the proof is to show that the decision of $p_i$ implies that of $p_{1-i}$. Since $p_i$ exits the algorithm at the beginning of $j + 1$, its behavior from the viewpoint of $p_{1-i}$ is equivalent to a crash at $j + 1$. If $p_i$ crashes, $p_{1-i}$ necessarily decides because we have already proved that at least one process eventually decides. Consequently, we can conclude that $p_{1-i}$ eventually decides after the decision of $p_i$. □ 



C Examples of Bivalent Formation Problems 

We show that two well-known formation problems, circle and line, belong to the class of bivalent 
formation problems. 

Example 1 The circle formation is the problem requiring that all robots are placed on different locations on the boundary of a common circle (see footnote 7). The specification $\mathcal{F}_{circle}$ of this problem can be stated as follows: $\mathcal{F}_{circle} = \{\{v_0, v_1, \ldots, v_{n+f}\} \mid \forall v_i, v_j : v_i \neq v_j \wedge \exists c, r \in \mathbb{R} : \forall v_j : |v_j - c| = r\}$. 

Example 2 The line formation is the problem requiring that all robots are placed on different locations on a common line, which can be specified as $\mathcal{F}_{line} = \{\{v_0, v_1, \ldots, v_{n+f}\} \mid \forall v_i, v_j : v_i \neq v_j \wedge \exists a_2, a_3, \ldots, a_{n+f} \in \mathbb{R} : \forall i \in [2, n + f] : v_i - v_0 = a_i(v_1 - v_0)\}$. 

Theorem 4 If n + 1 > 4, the circle formation and the line formation are bivalent. 

7 Precisely, we consider the non-uniform circle formation problem. A stronger variant is uniform circle formation, 
which must guarantee that all robots are placed evenly on the boundary of a common circle. 
Proof We only show the proof for the circle formation because the bivalency of the line formation can be proved in the same way as the circle. From the definition of the circle formation problem, we can associate the circle containing at least $n$ robots to each pattern $P \in \mathcal{F}_{circle}$, which is denoted by $cir(P)$. Let $P$ be an arbitrary pattern in $\mathcal{F}_{circle}$. To prove the theorem, it suffices to show that there exists a vector $x$ such that $P' = P + x$ satisfies $P' \not\sim P$. Suppose for contradiction that $P \sim P'$ holds for any $x$. Since $P \sim P'$ holds, we have a chain $P = P_0 \sim P_1 \sim P_2 \cdots \sim P_k = P'$ where $P_i \in \mathcal{F}_{circle}$ and $|P_i \cap P_{i+1}| \geq n$ hold for any $i$ ($0 \leq i < k$). Since $cir(P_0) \neq cir(P_k)$ clearly holds, there necessarily exists $h$ satisfying $cir(P_h) \neq cir(P_{h+1})$. However, it contradicts the fact that $|P_h \cap P_{h+1}| \geq n > 3$ because at most three robots can be placed on the intersection of $cir(P_h)$ and $cir(P_{h+1})$ in $P_h$ and $P_{h+1}$ (recall that the circle formation requires that all correct robots must be located on different positions in legitimate configurations). □ 

We further present a formation problem that is not bivalent. 

Example 3 The 2-gathering is the problem requiring that all robots are placed on at most two locations. It is specified as $\mathcal{F}_{2gat} = \{\{v_0, v_1, \ldots, v_{n+f}\} \mid \exists x_0, x_1 : \forall i \in [0, n + f] : v_i = x_0 \vee v_i = x_1\}$. 

Theorem 5 The 2-gathering problem is not bivalent. 

Proof We show the theorem by showing that $[\mathcal{F}_{2gat}]$ consists of a single class. That is, for any two patterns $P, P' \in \mathcal{F}_{2gat}$, we prove $P \sim P'$. Let $\{p_0, p_1\}$ and $\{p'_0, p'_1\}$ be the sets of locations constituting $P$ and $P'$ respectively. Taking two patterns $Q$ and $Q'$ in $\mathcal{F}_{2gat}$ where all robots are placed in $p_0$ and $p'_0$, we can easily show that $P \sim Q \sim Q' \sim P'$ holds: One-by-one replacement of all robots at $p_1$ to $p_0$ transforms $P$ into $Q$, which implies $P \sim Q$. The relations $Q \sim Q'$ and $Q' \sim P'$ can be obtained similarly. Consequently, we have $P \sim P'$. □ 
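
The one-by-one replacement used in the proof of Theorem 5 can be carried out explicitly. The following Python sketch is an added example, not code from the paper; it assumes f = 1, represents a pattern as a tuple of n + 1 coordinate pairs, and uses constructed sample patterns and hypothetical function names.

```python
# Added illustration of the chain P ~ Q ~ Q' ~ P' from the proof of Theorem 5.
from collections import Counter


def one_neighbors(P, Q, n):
    """1-neighborhood relation: the multisets share at least n locations."""
    return sum((Counter(P) & Counter(Q)).values()) >= n


def in_2gat(P):
    """Membership in the 2-gathering family: at most two distinct locations."""
    return len(set(P)) <= 2


def relocate(P, src, dst):
    """Yield the patterns obtained by moving robots from src to dst one by one."""
    cur = list(P)
    while src in cur:
        cur[cur.index(src)] = dst
        yield tuple(cur)


def chain(P, P2):
    """Sequence of patterns from P to P2 in which each step moves one robot."""
    p0, q0 = P[0], P2[0]
    steps = [tuple(P)]
    for loc in set(P) - {p0}:                 # P -> Q: gather everything on p0
        steps += relocate(steps[-1], loc, p0)
    if p0 != q0:                              # Q -> Q': shift p0 to q0
        steps += relocate(steps[-1], p0, q0)
    cur = list(steps[-1])                     # Q' -> P': populate second location
    for i, v in enumerate(v for v in P2 if v != q0):
        cur[i] = v
        steps.append(tuple(cur))
    return steps


def verify(steps, target, n):
    """Every pattern is in the family, consecutive ones are 1-neighbors."""
    return (all(in_2gat(s) for s in steps)
            and all(one_neighbors(a, b, n) for a, b in zip(steps, steps[1:]))
            and Counter(steps[-1]) == Counter(target))


# Constructed sample: n = 3 correct robots plus one Byzantine robot.
N = 3
P_SAMPLE = ((0, 0), (0, 0), (5, 1), (5, 1))
P2_SAMPLE = ((9, 9), (2, 7), (2, 7), (2, 7))

if __name__ == "__main__":
    steps = chain(P_SAMPLE, P2_SAMPLE)
    for s in steps:
        print(s)
    print("valid chain:", verify(steps, P2_SAMPLE, N))
```

The two sample patterns share no location, so they are not 1-neighbors directly, yet the chain stays inside the 2-gathering family at every step.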

Because of the above theorem, we cannot prove the impossibility of the 2-gathering problem 
from our reduction. We conjecture that the 2-gathering is solvable if we assume that $f = 1$ and 
the agreement of the orientations of local coordinate systems. 






